Yubikey – the most effective protection against phishing and account takeover
Phishing: who has not had to deal with this old but still effective technique for taking over someone else's information, which each of us wants to protect in our own way and as well as we can? It has been suggested repeatedly in various articles how to protect yourself and your friends from social engineering, both mass and targeted, where a well-prepared attack on a company will most likely, sooner or later, end happily for the attacker. But is using Yubikey keys effective against it?
For now, let's leave aside the recommendations for "safe" use of the computer, email, social networks and so on, because we are introducing the Yubikey: probably the most effective tool for preventing phishing attacks and unauthorized takeovers of Internet accounts that we have ever dealt with.
Yubikey is a "key" to protect your account
If you have a Google mail (Gmail) account, or an account on Dropbox, Google+, YouTube, Github, Facebook,
Although the inner workings of the Yubikey are based on modern cryptographic methods, this does not really matter to the average user. What matters to them is security, which is achieved through strong two-factor authentication (2FA) using a public and private PGP key with very strong encryption, RSA 4096, which was used, among others, in Cryptolocker (and to this day no method has been found to decrypt files after an attack by this pest). In this way, the user is protected from phishing, session hijacking, man-in-the-middle attacks and malware attacks. What's more, this method is easy to use:
- it works "out of the box" with the Chrome browser, with Firefox coming soon,
- it enables immediate authentication to any number of web services,
- and, importantly, it provides a high level of privacy by generating a new key pair when you sign in to each website.
Yubikey in practice
In practice, it does not differ much from what you encounter every day when using web services that support additional account security in the form of one-time SMS codes at login.
Step 1: the price varies depending on the Yubikey variant. Yubikey already has an official distributor (the company ePrinus), although the product is offered by ePrinus's partner, InBase (inbase.pl), which specializes in consulting on information and personal data protection and in providing security solutions and services.
Automatic, two-factor authentication with a Yubikey key can be carried out in several ways:
1. The standard Yubikey 4 key and the Yubikey NANO version, on computers that have a USB connector.
2. The Yubikey NEO, which in addition to USB supports user authentication over NFC with a mobile device.
3. The cheapest version, the Yubikey FIDO U2F Security Key, does not support RSA 4096 encryption but ECC P-256, and is intended only for computers with USB ports.
Step 2: enable U2F authentication on the websites that support it. At the moment these are: Gmail, Dropbox, Google+, YouTube, Github, Facebook,
For example, for Google services, go to the sign-in settings, turn on two-step verification using SMS codes (if you are not already using this protection), then choose "add key" (for now this works only with Chrome) and follow the simple instructions.
Step 3: now, when you try to log on to Gmail or any other service that supports U2F, you enter your login and password as usual and, instead of SMS codes, which can be intercepted by malicious software, simply plug the Yubikey into your USB port or (in the case of the Yubikey NEO) bring the key close to a mobile device with NFC enabled.
That's all: you have just logged in to your website in a very secure way.
The magic of cryptography
All of the cryptographic magic "takes place" when you log on to the site, through a browser API that verifies the web page address and authenticates using public-key cryptography. This means that if the URL does not match (for example, it may be a fake page created for a phishing attack: hxxp://gmail-account.com), then even if you are unaware of the risk, you will not be able to log on to the counterfeit copy of the popular site and, importantly, the attacker will not be able to obtain the second factor required to log in to someone else's account.
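The address check and the per-site key pairs described above, modeled in Node.js as an added example (not code from this article, Yubico or Google). The `Token` class, the function names and both origins are constructed for illustration, and a real token derives its keys through key handles rather than an in-memory map.

```javascript
const crypto = require('crypto');
const sha256 = (d) => crypto.createHash('sha256').update(d).digest();
// Simulated token (illustrative model): one fresh P-256 key pair per site (appId).
class Token {
  constructor() { this.keys = new Map(); this.counter = 0; }
  register(appId) {
    const kp = crypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
    this.keys.set(appId, kp.privateKey);
    return kp.publicKey; // the site stores only the public half
  }
  sign(appId, clientData) {
    const key = this.keys.get(appId);
    if (!key) return null; // nothing was ever registered for this site
    const ctr = Buffer.alloc(4); ctr.writeUInt32BE(++this.counter);
    // Signed data: SHA-256(appId) || user-presence byte || counter || SHA-256(clientData)
    const msg = Buffer.concat([sha256(appId), Buffer.from([1]), ctr, sha256(clientData)]);
    return { ctr, sig: crypto.sign('sha256', msg, key) };
  }
}

// Browser side: puts the origin it actually loaded into clientData; the page cannot set it.
function browserSign(token, actualOrigin, challenge) {
  const clientData = JSON.stringify({ typ: 'navigator.id.getAssertion', challenge, origin: actualOrigin });
  const res = token.sign(actualOrigin, clientData);
  return res && { clientData, ...res };
}

// Server side: accept only its own challenge, its own origin and a valid signature.
function verify(pubKey, appId, challenge, resp) {
  if (!resp) return false;
  const cd = JSON.parse(resp.clientData);
  if (cd.challenge !== challenge || cd.origin !== appId) return false;
  const msg = Buffer.concat([sha256(appId), Buffer.from([1]), resp.ctr, sha256(resp.clientData)]);
  return crypto.verify('sha256', msg, pubKey, resp.sig);
}

function demo() {
  const token = new Token();
  const site = 'https://accounts.example';      // constructed legitimate origin
  const fake = 'https://accounts-example.test'; // constructed look-alike origin
  const pub = token.register(site);
  const challenge = crypto.randomBytes(16).toString('hex');
  const good = verify(pub, site, challenge, browserSign(token, site, challenge));
  const relayed = verify(pub, site, challenge, browserSign(token, fake, challenge));
  token.register(fake); // a key for the look-alike is a different pair and origin
  const other = verify(pub, site, challenge, browserSign(token, fake, challenge));
  return { good, relayed, other };
}
console.log(demo()); // { good: true, relayed: false, other: false }
```

A password typed into the look-alike page can still be captured; what the server never receives from that page is a second factor it will accept.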
At present, U2F is supported by the Google Chrome browser (Firefox coming soon). Yubikey keys can be used with Windows, Linux, Mac OS, Android and iOS, and wherever it is possible to run the Google Chrome browser and the computer or mobile device has a USB port or NFC.
Among the disadvantages of this solution, we need to include the fact that if you lose the key, you will not be able to log on to the service. To protect against this, you can purchase a second key and "pair" it with the account, but this involves additional cost. In the case of Google, it is possible to log in using backup codes or another phone.
Finally, it is worth adding that the Yubikey was created by a Swedish company, and the U2F two-step verification process was jointly developed by Yubico and Google. Yubikeys are used by employees of companies such as Facebook and Google, and Yubico itself provides free documentation, thanks to which developers can deploy U2F on their websites for free. This login method works for:
We use the Google Cloud Translation and Gengo APIs to translate articles, with the exception of our comparative tests.